CVE-2026-30967
Published: 10 March 2026
Summary
CVE-2026-30967 is a high-severity Improper Authentication (CWE-287) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the specific flaw in Parse Server's OAuth2 token-user binding verification through vendor patches to fixed versions.
Ensures robust management of OAuth2 identity providers and authorization servers, including verification of token authenticity and user binding to prevent impersonation.
Enforces secure configuration settings for the OAuth2 adapter, such as requiring the useridField option to enable proper token ownership verification.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in Parse Server, a public-facing backend API, allows remote exploitation of an authentication flaw to impersonate users, directly enabling T1190: Exploit Public-Facing Application.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active…
more
via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.
Deeper analysisAI
CVE-2026-30967 affects Parse Server, an open source backend deployable on any Node.js infrastructure. In versions prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active using the provider's token introspection endpoint but does not confirm that the token belongs to the user identified by authData.id. This improper authentication mechanism, classified as CWE-287, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and impacts deployments using the generic OAuth2 adapter (configured with oauth2: true) lacking the useridField option.
An attacker with any valid OAuth2 token from the same provider can exploit this vulnerability over the network with low complexity and low privileges required, without user interaction. Successful exploitation enables authentication as any other user, potentially leading to high impacts on confidentiality, integrity, and availability through unauthorized access and actions under impersonated identities.
Mitigation is provided in Parse Server versions 9.5.2-alpha.9 and 8.6.22, which address the token ownership verification flaw. The GitHub security advisory GHSA-fr88-w35c-r596 and release notes for these versions detail the fix and recommend upgrading affected deployments.
Details
- CWE(s)